diff --git a/roles/network_plugin/calico/templates/calico-cr.yml.j2 b/roles/network_plugin/calico/templates/calico-cr.yml.j2
index e5238d8d30020242359865386bf09a7d5b57ee72..5a3d9286f00cf89560c6b788069a1226c90d88df 100644
--- a/roles/network_plugin/calico/templates/calico-cr.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2
@@ -13,6 +13,16 @@ rules:
       - configmaps
     verbs:
       - get
+{% if calico_version is version("v3.20.0", ">=") %}
+  # EndpointSlices are used for Service-based network policy rule
+  # enforcement.
+  - apiGroups: ["discovery.k8s.io"]
+    resources:
+      - endpointslices
+    verbs:
+      - watch
+      - list
+{% endif %}
   - apiGroups: [""]
     resources:
       - endpoints
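Review bot: The `{% if calico_version is version("v3.20.0", ">=") %}` gate on the new rule only behaves as intended when `calico_version` carries the same leading `v` as the literal. Whether that format is validated elsewhere is not visible in this hunk. If the variable is overridden without the prefix, the comparison may error or evaluate false, and the `endpointslices` rule is then silently left out, so by the added comment Service-based policy rules would likely not be enforced as written. Consider normalising before comparing, e.g. `{% if (calico_version | regex_replace('^v', '')) is version('3.20.0', '>=') %}`, or asserting the version format in a pre-flight task. The grant itself is limited to `watch` and `list`, which is appropriately read-only; the `rules:` list and the role's kind and name begin outside the hunk, so its binding scope cannot be confirmed from here.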